The government must explain how the Covid-19 passports will be used and how they will ensure accurate identification, a privacy expert has said.
Last week, Transport Secretary Grant Shapps confirmed that the NHS app will be used as a Covid-19 passport from May 17, when international travel resumes.
Announcing the 12 countries on the UK’s ‘green list’, which will not require quarantine on their return, he said the passport would be used to prove that the British had had their vaccinations, or had been tested negative for the virus, before going on vacation.
But Eerke Boiten, professor of cybersecurity at De Montfort University in Leicester, told Digital Health News that “too little” is known about how these passports will be used.
“They need to tell us what are the scenarios they envision, what are the use cases? And then pin them as soon as possible, ”he said.
“At the moment, we know too little about how they are going to implement it.”
Boiten, who has previously expressed the privacy risks of some contact tracing apps, said in principle he was “less concerned” with Covid-19 passports if they were limited to international travel, but added that a strong authentication system should be in place. place to ensure confidentiality and appropriate use.
“As usual, the questions to ask are about authentication and the potential for abuse,” he told Digital Health News.
“What authentication guarantees do they rely on? Because owning a phone is not a strong enough authentication, or an insufficiently strong identification of the holder.
“It has to be tied to an identity system at some point and the use cases have to justify it.”
Boiten suggested that a QR code could be used to verify a person and only transfer necessary vaccination data.
“In all situations, we need to know that whoever presents the passport is the real passport holder. Not only that the passport information cannot be tampered with from scratch, but also that you cannot use someone else’s information in this situation, ”he said.
The NHS app allows users to access a range of NHS services on their smartphone or tablet. It was launched in 2018 and offers services including symptom checking and triage; making appointments; repeat the prescription command; access to patient records; opt-out of national data; and the preference for organ donation.
It already allows users to check their vaccination status if their doctor allows it, which applies to all jabs.
To better assess the potential security risks associated with using the NHS app as a Covid-19 passport, Boiten downloaded it and assessed the level of personal information he held about himself.
“In terms of privacy risks, I don’t think this adds significantly to the risks already present in the NHS app itself,” he told Digital Health News.
“The NHS app contains sensitive prescription information. Having that on your phone, with the right security measures, is already a situation where we need to worry about making sure sensitive information doesn’t leak out.
“Covid status, in some ways, is probably less sensitive than some of the other medical information, but on the other hand, it’s also more powerful if it allows people more autonomy.”
But he said a data protection impact assessment should be carried out before the deployment of Covid-19 passports to ensure privacy and security.
Following the confirmation of Shapps’ Covid-19 passports, a government spokesperson said that “security and privacy will be at the heart of our approach.” Adding a solution for people who did not own a smartphone was also under consideration.
When contacted by Digital Health News about how Covid-19 passports would be implemented, the Department of Health and Social Affairs was unable to provide further information.